1. Statement of the Technical Field
The present invention relates to systems and methods for browsing the World Wide Web (WWW). More particularly, the present invention relates to systems and methods for protecting web based applications from Cross Site Request Forgery (CSRF) attacks.
2. Description of the Related Art
Web-based applications are subject to CSRF attacks. CSRF is generally a method for forging and sending requests across Web sites for the purpose of causing damage to certain Web sites. CSRF attacks are powerful and straight forward attacks that can totally subvert the security of web applications. CSRF attacks target both the integrity and the confidentiality of a web application. For example, a CSRF attack can cause changes on a server without a user's approval and/or cause private data to be disclosed to an unknown third party.
CSRF attacks typically occur when a user opens a rogue web application in parallel to a target web application (e.g., in a separate browser tab). CSRF attacks can also occur subsequent to a visit to the target web application by a user (if the web application does not clean up user credentials when the user navigates away from the target web application). The rogue web application can misuse a user's privilege to cause sever-side actions on a user's behalf and to retrieve confidential data from requests (e.g., JavaScript Object Notation requests) using JavaScript Hijacking attacks.
Some safeguards and implementations exist to prevent CSRF attacks. However, these safeguards and implementations suffer from certain drawbacks. For example, the conventional safeguards and implementations employing POST requests (rather than GET requests) offer incomplete security against CSRF attacks. The conventional safeguards and implementations require a relatively large amount of effort and time to develop.